AT&T iPad Hacker’s Real Crime Was Embarrassing the Wrong People

Photo: Ariel Zambelich/Wired

Disclosing a flaw in a widely used system without making someone at least a little angry requires a delicate touch. But Andrew Auernheimer, a.k.a. “Weev,” a 26-year-old finder of security vulnerabilities, is anything but delicate.

Two years ago, Auernheimer and a friend made a surprising discovery about the way AT&T was protecting its web database of iPad cellular data accounts: That is, AT&T wasn’t protecting it at all. Any customer could access his or her account data by going to an AT&T URL containing their iPad’s unique numerical identifier. No password, cookie, or login procedure was required to bring up a user’s private information. Auernheimer wrote a script to enumerate iPad IDs and promptly collected more than 100,000 e-mail addresses belonging to AT&T iPad users, which he shared with the Gawker news site to expose the AT&T flaw.

Because computer science has yet to discover a systematic way to find and fix all the vulnerabilities in real-world systems before they get deployed, independent security researchers who discover and report weaknesses have become an essential part of the security ecosystem. Continually poking at systems to seek out hidden flaws is the only hope we have of staying ahead of the bad guys, and the software industry has largely come to recognize that the motley assortment of academics, consultants, and hackers who look for security holes are a community to be cultivated and encouraged – even if the proof of vulnerability they bring may sometimes be painful and embarrassing.

But that doesn’t mean the ones who find an exploitable flaw in a fielded system can expect to be greeted as heroes.

Matt Blaze

Matt Blaze directs the Distributed Systems Lab at the University of Pennsylvania, where he studies cryptography and secure systems. Prior to joining Penn, he was a distinguished member of technical staff at AT&T Bell Labs. He can be found on Twitter at mattblaze.

How to best disclose a newly discovered vulnerability is a matter of some controversy, and highly dependent on where one happens to be sitting. Vendors want the chance to address problems before they become public. Users want to know immediately about the flaws in the systems they depend on. The security community wants to study and build on new discoveries. Researchers want credit for their discoveries, and worry they might be “scooped” by someone else: publish or perish.

And everyone thinks their moral high ground is superior to all the others’.

This is the sort of quandary that security researchers grapple with all the time, and we don’t always agree on where the lines of ethical disclosure should be drawn. There’s a lot of room to agree to disagree about how to handle security flaw discoveries like this one. But Auernheimer’s problems go beyond philosophical disagreement: Last week, he was convicted in federal court of identity theft and conspiracy to access AT&T’s computers without authorization. He’s now a felon, and faces jail time.

Yes, AT&T would have preferred to have been notified first (and better yet, exclusively). But if Auernheimer was able to find such a simple and devastating problem, couldn’t someone else have already discovered the same thing and been exploiting it for nefarious purposes? It might be better to publicize the flaw quickly, lest AT&T put its public-relations interests ahead of user security interests.

Independent individuals who discover and report weaknesses have become an essential part of the security ecosystem.

Because AT&T isn’t the only stakeholder here.

And how can accessing a public URL be “unauthorized”? AT&T were the ones who made the un-encrypted data publicly available; how could Auernheimer have known that AT&T wasn’t deliberately (if ill-advisedly) publishing its customer database, perhaps as part of some service or application?

The charges seem a little dubious, but the verdict is in, and these are now questions for the appeals court.

“Respectable” security researchers might look at this case and rest smugly assured that, whatever the legalities, this would never happen to them. Auernheimer may have behaved needlessly antagonistically toward AT&T; maybe he didn’t need to download all those email addresses to make his point.

Maybe.

Ultimately, it’s hard to not to wonder if Auernheimer was charged not so much for his conduct, but for provoking AT&T’s wrath with unwelcome news. That’s what should send a deep chill down the spines of security researchers everywhere.

No matter how careful we may try to be, there’s no telling who might get angry next. How can our delicate security ecosystem survive if embarrassment becomes a crime?